[GIT PULL nf] IPVS fixes for v3.17

[GIT PULL nf] IPVS fixes for v3.17

[Simon Horman]

Hi Pablo,

please consider this IPVS fix for v3.17.

It allows CHECKSUM_PARTIAL to work in conjunction with
TCP/UDP csum offlad and the tunnel forwarding mechanism
provided by IPVS.

I suspect that this problem has existed for as long
has IPVS has been present in the kernel: some time before
git epoch of the git history in Linus's tree.

I would like this change considered for -stable.

It appears to apply and build cleanly against v3.16.1 and v3.14.17.

I can work on patches for older versions if you think it is appropriate.


The following changes since commit d1c85c2ebe7ffe1f1b27846bd1ba0944c513d822:

  netfilter: HAVE_JUMP_LABEL instead of CONFIG_JUMP_LABEL (2014-08-25 10:45:28 +0200)

are available in the git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/horms/ipvs.git tags/ipvs-fixes-for-v3.17

for you to fetch changes up to ea1d5d7755a3e556de78cc757d1895d5c7180548:

  ipvs: properly declare tunnel encapsulation (2014-08-27 14:31:56 +0900)

----------------------------------------------------------------
Julian Anastasov (1):
      ipvs: properly declare tunnel encapsulation

 net/netfilter/ipvs/ip_vs_xmit.c | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

Julian Anastasov (1):
  ipvs: properly declare tunnel encapsulation

 net/netfilter/ipvs/ip_vs_xmit.c | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

-- 
2.0.1

[PATCH nf] ipvs: properly declare tunnel encapsulation

[Simon Horman]

From: Julian Anastasov <ja@ssi.bg>

The tunneling method should properly use tunnel encapsulation.
Fixes problem with CHECKSUM_PARTIAL packets when TCP/UDP csum
offload is supported.

Thanks to Alex Gartrell for reporting the problem, providing
solution and for all suggestions.

Reported-by: Alex Gartrell <agartrell@fb.com>
Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Alex Gartrell <agartrell@fb.com>
Signed-off-by: Simon Horman <horms@verge.net.au>
---
 net/netfilter/ipvs/ip_vs_xmit.c | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c
index 6f70bdd..56896a4 100644
--- a/net/netfilter/ipvs/ip_vs_xmit.c
+++ b/net/netfilter/ipvs/ip_vs_xmit.c
@@ -38,6 +38,7 @@
 #include <net/route.h>                  /* for ip_route_output */
 #include <net/ipv6.h>
 #include <net/ip6_route.h>
+#include <net/ip_tunnels.h>
 #include <net/addrconf.h>
 #include <linux/icmpv6.h>
 #include <linux/netfilter.h>
@@ -862,11 +863,15 @@ ip_vs_tunnel_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
 		old_iph = ip_hdr(skb);
 	}
 
-	skb->transport_header = skb->network_header;
-
 	/* fix old IP header checksum */
 	ip_send_check(old_iph);
 
+	skb = iptunnel_handle_offloads(skb, false, SKB_GSO_IPIP);
+	if (IS_ERR(skb))
+		goto tx_error;
+
+	skb->transport_header = skb->network_header;
+
 	skb_push(skb, sizeof(struct iphdr));
 	skb_reset_network_header(skb);
 	memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
@@ -900,7 +905,8 @@ ip_vs_tunnel_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
 	return NF_STOLEN;
 
   tx_error:
-	kfree_skb(skb);
+	if (!IS_ERR(skb))
+		kfree_skb(skb);
 	rcu_read_unlock();
 	LeaveFunction(10);
 	return NF_STOLEN;
@@ -953,6 +959,11 @@ ip_vs_tunnel_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
 		old_iph = ipv6_hdr(skb);
 	}
 
+	/* GSO: we need to provide proper SKB_GSO_ value for IPv6 */
+	skb = iptunnel_handle_offloads(skb, false, 0); /* SKB_GSO_SIT/IPV6 */
+	if (IS_ERR(skb))
+		goto tx_error;
+
 	skb->transport_header = skb->network_header;
 
 	skb_push(skb, sizeof(struct ipv6hdr));
@@ -988,7 +999,8 @@ ip_vs_tunnel_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
 	return NF_STOLEN;
 
 tx_error:
-	kfree_skb(skb);
+	if (!IS_ERR(skb))
+		kfree_skb(skb);
 	rcu_read_unlock();
 	LeaveFunction(10);
 	return NF_STOLEN;
-- 
2.0.1

Re: [GIT PULL nf] IPVS fixes for v3.17

[Pablo Neira Ayuso]

On Wed, Aug 27, 2014 at 03:15:14PM +0900, Simon Horman wrote:
> Hi Pablo,
> 
> please consider this IPVS fix for v3.17.
> 
> It allows CHECKSUM_PARTIAL to work in conjunction with
> TCP/UDP csum offlad and the tunnel forwarding mechanism
> provided by IPVS.
> 
> I suspect that this problem has existed for as long
> has IPVS has been present in the kernel: some time before
> git epoch of the git history in Linus's tree.
>
> I would like this change considered for -stable.

The generic iptunnel infrastructure is quite recent. For example,
iptunnel_handle_offloads() is available since 3.13. You'll need to
prepare a backport of this for -stable kernels.

[...]
> The following changes since commit d1c85c2ebe7ffe1f1b27846bd1ba0944c513d822:
> 
>   netfilter: HAVE_JUMP_LABEL instead of CONFIG_JUMP_LABEL (2014-08-25 10:45:28 +0200)
> 
> are available in the git repository at:
> 
>   https://git.kernel.org/pub/scm/linux/kernel/git/horms/ipvs.git tags/ipvs-fixes-for-v3.17

Pulled, thanks.